Background
In my attempt to set up OpenVPN for my network, I searched through the forum and couldn't find much information on setting up OpenVPN 2.0 using TAP, especially a sample configuration file. Most of the HOWTOs I found relate to TUN settings. The HOWTO from http://openvpn.sourceforge.net/ was helpful, but since I am a newbie to OpenVPN, it took me a while to figure out how to get things set up right. In the hope of speeding up the adoption of the openvpn 2.0 ebuild into the Gentoo distribution (I love this distribution!!) and also of helping other OpenVPN newbies (like me) save time, I have created this mini-HOWTO. Your constructive criticism/suggestions/feedback are most welcome, especially regarding network-security-related configuration.

Simplified Server/Client Environment
The system I used to set up the OpenVPN server is Gentoo Linux with kernel 2.6.8-r3 (gentoo-dev-sources-2.6.8-r3). Later kernels can also be used; the newest one I have used is gentoo-sources-2.6.11-r11. Make sure the kernel has TAP/TUN compiled as a module or built in. If compiled as a module, make sure you have tun in your /etc/modules.autoload.d/kernel-2.6. The Linux server/client OpenSSL version is 0.9.7d-r1 or newer. For the Windows client, I used Windows XP with SP2 installed. This setup works regardless of whether you are using wireless or not. In my case, the Linux client is wired, and the Windows XP client is a wireless tablet PC.
OpenVPN server has external static IP in this setup.
Protected network: 10.2.0.0
Protected network DNS: 10.2.0.1 10.2.0.2
Protected network VPN server: 10.2.0.3
Protected network domain: homenetwork.local
Protected network is behind a separate hardware based firewall, e.g. Netscreen or Linksys Cable/DSL Wireless Router
OpenVPN server resides inside the protected network, with UDP port 5000 forwarded at the firewall from outside (Internet) to the OpenVPN server.
OpenVPN virtual network: 10.1.0.0
OpenVPN virtual network server IP: 10.1.0.1 (in this example, I named it gateway)
OpenVPN virtual network client IP range: 10.1.0.2 - 10.1.0.10
OpenVPN client can be anywhere in the Internet or other remote LAN (via wireless or wired) with access to the Internet.

Unlike the typical TUN setup, with this setup you won't need to manually assign virtual IP addresses to the server/clients. All client virtual IPs are assigned by the server from the virtual IP range specified in the server configuration (parameter ifconfig-pool). Route table entries for the virtual clients can be managed from the OpenVPN server configuration (under the parameter push "xxxx"). In addition, no ethernet bridging setup is needed. IMHO, this really makes the system/network administrator's life a lot easier.

NOTE: If you are using openvpn 2.1 (not yet in the official portage, hopefully soon), you can add the following line to do port sharing. It basically tells openvpn to listen on port 443; if the traffic is OpenVPN traffic, process it, otherwise forward it to ssl_webserver.mycompany.com to be processed as HTTPS traffic. One great thing about this is that you have one less hole in your firewall.

Code:

port-share ssl_webserver.mycompany.com 443

OpenVPN Linux client configuration (/etc/openvpn/client/local.conf)

Code:

port 1194 # or any other port you want to use
dev tap
remote w.x.y.z # w.x.y.z is external IP of the OpenVPN server

cd /etc/openvpn
# For each sub-directory, create a symbolic link to its local.conf in the
# current directory, since the new init script doesn't scan sub-directories
# anymore; instead it looks for .conf files. With the sample environment
# defined above, we have:
ln -s gateway/local.conf gateway.conf

Windows XP client configuration (My Document\client.ovpn)

Code:

port 1194 # or any other port you want to use
dev tap
remote w.x.y.z # w.x.y.z is external IP of the OpenVPN server

To generate the ta.key (or ta-key.txt), I use the following command (recommended by the HOWTO from OpenVPN) on Linux:

Code:

openvpn --genkey --secret ta.key

or

Code:

openvpn --genkey --secret ta-key.txt

Then I basically copy this file to the server and all client machines via a secure channel.

To generate the server certificate and key file for /etc/openvpn/gateway, I basically follow the instructions provided in the easy-rsa README file. Make sure you specify that the purpose of the certificate is Web Server when you submit the CSR for your server.

Code:

./clean-all
./build-req gateway
cp /root/openvpn/gateway.key /etc/openvpn/gateway
# Send /root/openvpn/gateway.csr to your CA. Once it is signed by the CA,
# they will send you the certificate. Save this certificate as gateway.crt
# under /etc/openvpn/gateway.

Generating the client certificate and key file for /etc/openvpn/client is similar to the server, except that the purpose for your client CSR is User instead of Web Server. Otherwise, you may run into the "unroutable" problem. Well, at least that was the case for me.

To verify that the client certificate(s) are valid, you can use the following:

Code:

openssl verify -CAfile ca.crt -purpose sslclient client.crt

You also need to make sure your firewall has UDP port 1194 (or whatever port you have specified in your server configuration) opened for your OpenVPN server. In addition, depending on what firewall you are using, you may need to make sure network traffic is allowed into your protected network from your OpenVPN client IP range. Since we are not using an ethernet bridge, you will need to add a route on your protected LAN gateway telling all machines in the protected LAN to forward packets to your VPN server when the requester's IP belongs to the VPN LAN.

Once you have all the configuration files in place, do the following on the server or Linux client.

Code:

/etc/init.d/openvpn start

For Windows XP, start OpenVPN GUI and then load the configuration file client.ovpn under My Document.

Testing
Start up the client side and then ping one of the servers in the protected network (10.2.0.0). If you can ping it, you are connected and your packets are routed correctly.

Finishing Touch
After you have verified that the network connectivity is all well, if you are using a Windows client, you will want to turn OpenVPN into a service that starts automatically instead of starting it manually each time you log in. To do that, just follow the instructions under the section Running OpenVPN as a Windows Service in the INSTALL-Win32 provided at http://openvpn.sourceforge.net/INSTALL-win32.html. Make sure you have all your config files, certificates and keys moved to the <openvpn installed directory>/config directory if they are not already there.

Last edited by cchee on Tue Apr 03, 2007 3:22 pm; edited 27 times in total
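The route on the protected LAN gateway mentioned above has to cover the whole virtual client range; the FAQ later in this thread uses 10.1.0.0 netmask 255.255.255.240 for the 10.1.0.2 - 10.1.0.10 pool. The following POSIX sh script is an added example written for this thread (it is not part of the HOWTO or of OpenVPN): it computes the smallest power-of-two block enclosing any client range and prints the matching route command, so the netmask is derived rather than guessed (a block that is too small leaves the higher client addresses without a return route). The 10.2.0.3 gateway is the HOWTO's sample value; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the HOWTO): derive the smallest power-of-two block that
# covers a VPN client range, then print the matching "route add" line for the
# protected LAN gateway. Only POSIX sh arithmetic is used; no external tools.

# ip_to_int A.B.C.D : dotted-quad to 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_ip N : 32-bit integer back to dotted-quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# enclosing_block FIRST LAST : prints "NETWORK NETMASK PREFIX" for the longest
# prefix under which FIRST and LAST share a network, i.e. the smallest aligned
# block that contains the whole range.
enclosing_block() {
    first=$(ip_to_int "$1")
    last=$(ip_to_int "$2")
    prefix=32
    while [ "$prefix" -gt 0 ]; do
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
        if [ $(( first & mask )) -eq $(( last & mask )) ]; then
            break
        fi
        prefix=$(( prefix - 1 ))
    done
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    echo "$(int_to_ip $(( first & mask ))) $(int_to_ip "$mask") $prefix"
}

# route_for_range FIRST LAST GATEWAY : the route the protected LAN gateway needs
# so that replies to any VPN client are sent via the VPN server.
route_for_range() {
    gw=$3
    set -- $(enclosing_block "$1" "$2")
    echo "route add -net $1 netmask $2 gw $gw"
}

# Sample values from the HOWTO's environment: clients 10.1.0.2-10.1.0.10,
# VPN server 10.2.0.3 on the protected LAN.
route_for_range 10.1.0.2 10.1.0.10 10.2.0.3
```

Widening the pool to 10.1.0.17, for example, makes the script return a /27 (255.255.255.224); the /28 from the FAQ would then no longer cover the last clients.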

A: Make sure both server and client configuration files have "tls-auth ta.key #" either enabled or disabled. Also make sure the server has 0 for # while the client has 1 for #. You can't have one enabled while the other is disabled.

Q: I keep getting the following error on the server log when my client connected. What's wrong?

A: Check your client-side SSL/TLS certificate. If you are using the server type of certificate for the client, you will get this error. To verify your certificate, type:

Code:

openssl verify -CAfile ca.crt -purpose sslclient mycert.crt

It should return an OK status without any errors.

Q: All clients connect with the same virtual IP even though I have specified ifconfig-pool in my OpenVPN server configuration. What do I do?

A: Check your client-side certificates to make sure you have the correct setup. If the same client wants to use the same certificate for multiple connections, then try adding the following to your server configuration if that fits your needs.

Code:

duplicate-cn

And then restart your OpenVPN service on the server and try to connect to it again. In general, you are NOT recommended to do so, since it makes session tracking harder: you can no longer pin down a particular client-side certificate during a security audit.

Q: The VPN client connects to the VPN server OK, but it can't access any other nodes in the protected network. What do I do?

A: There are two options.
1) On your default gateway, you need to add a route to the VPN network with the VPN server as the gateway. Using the sample environment above, you will need to add the following route.

Code:

route add -net 10.1.0.0 netmask 255.255.255.240 gw 10.2.0.3

Note: Why is the netmask 255.255.255.240? Because our VPN client IP range is 0 - 10, the netmask is given as 255.255.255.240 (which gives us 16 entries [0-15]). A power of 2 is always more efficient for the router.
2) Use ethernet bridge.

Q: How do I put an access control list to define who can gain access to my VPN?

A: Use the learn-address directive and a shell script. You can easily manage your access control list via a text file. With the sample environment defined above, you will add the following line to your OpenVPN local.conf:

The format of the access control list file (text) is simply one CN per line:

Code:

Good.Guy
Good.Girl

Note: With openvpn 2.0 rc6, your access control list file (text) should have the dot replaced with white space, as below:

Code:

Good Guy
Good Girl

Note: With openvpn 2.0 rc17, your access control list file (text) should have the dot replaced with an underscore, as below:

Code:

Good_Guy
Good_Girl

Q: After I emerged the official OpenVPN ebuild in Gentoo, my setup broke; I can't start the openvpn server. What's up?

A: The issue lies within /etc/init.d/openvpn. The official init script for openvpn in Gentoo has changed slightly: it expects the config file to be within /etc/openvpn, not /etc/openvpn/gateway (given the sample environment described in the first post of this topic). To work around this, you will need to do two things:

Code:

cd /etc/openvpn; ln -s /etc/openvpn/gateway/local.conf gateway.conf

And then, if your local.conf doesn't have cd /etc/openvpn/gateway, you will need to add that before any directive that loads a file.

Code:

cd /etc/openvpn/gateway
ca ca.crt

Or, if you enjoy typing, you can use absolute paths for all file references in the config file. For example,

Code:

ca /etc/openvpn/gateway/ca.crt

Last edited by cchee on Sat Oct 15, 2005 2:26 pm; edited 15 times in total
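The learn-address hook itself is not reproduced in the FAQ above, so here is an added example of one, written for this thread; it is not the HOWTO author's script and not OpenVPN's own code. It assumes the server config references it as learn-address /etc/openvpn/gateway/acl.sh and that the CN list lives in /etc/openvpn/gateway/acl.txt (both paths are assumptions). OpenVPN runs the hook with three arguments, the operation (add, update or delete), the learned address and the client's common name, and rejects the address when the hook exits non-zero. The script denies on add/update unless the CN appears verbatim in the file, and also denies when the ACL file is missing or the CN is empty, so a misconfiguration fails closed rather than open. The CN has to be written in the form your OpenVPN version passes (see the rc6/rc17 notes above); OpenVPN 2.1 and later additionally need script-security 2 in the config before external scripts are run.

```shell
#!/bin/sh
# Added example (not the HOWTO author's script): an OpenVPN learn-address hook
# that allows a client only if its certificate CN is listed in an ACL file.
# OpenVPN invokes it as:  acl.sh OPERATION ADDRESS COMMON_NAME
# and treats a non-zero exit status on add/update as "reject this address".
# Assumed ACL location (one CN per line, exactly as OpenVPN passes it):
ACL_FILE=${ACL_FILE:-/etc/openvpn/gateway/acl.txt}

# cn_allowed CN : 0 if CN is a whole line of the ACL file, 1 otherwise.
# -F -x makes it a literal, whole-line match, so "Good" does not match "Good_Guy".
cn_allowed() {
    [ -r "$ACL_FILE" ] || return 1          # missing/unreadable ACL => deny everyone
    grep -Fxq -- "$1" "$ACL_FILE"
}

# learn_address OPERATION ADDRESS CN : the entry point OpenVPN calls.
learn_address() {
    op=$1; addr=$2; cn=$3
    case "$op" in
        add|update)
            # An empty CN would match blank lines in the ACL file, so reject it outright.
            [ -n "$cn" ] || { echo "deny: empty CN for $addr" >&2; return 1; }
            if cn_allowed "$cn"; then
                echo "allow: $cn -> $addr" >&2
                return 0
            fi
            echo "deny: $cn not listed in $ACL_FILE" >&2
            return 1
            ;;
        delete)
            return 0                        # nothing to decide when an address is released
            ;;
        *)
            echo "unknown learn-address operation: $op" >&2
            return 1
            ;;
    esac
}

# When executed by OpenVPN, act on the three arguments it passed.
[ $# -eq 3 ] && learn_address "$@"
```

The allow/deny lines go to stderr, which OpenVPN forwards to its log, so each decision is auditable next to the client's connection record.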

For those who have Linux as their OpenVPN client: if you want DNS lookups to work properly, you will need to add the following to your Linux client configuration (using the above example environment):

And have these scripts in the same directory as the configuration file. Note: an absolute path is needed for client.up in the OpenVPN configuration file in order for the up command to work. At least that is the case for my environment.

Last edited by cchee on Sat Oct 16, 2004 2:04 am; edited 2 times in total

Create your own CA
Easy-RSA comes with OpenVPN. Creating your own CA is very easy: just update the vars file accordingly. Then do:

Code:

. vars
./clean-all
./build-ca

You will have the ca.crt and ca.key generated under the KEY_DIR defined in vars.

Create certificate request

Code:

./build-req laptop

You will have the laptop.csr and laptop.key generated under the KEY_DIR defined in vars.

Sign your CSR request(s)
After you have created the CSR for your OpenVPN client (for example, the name of the client is laptop), you have already generated the CA (as described above), and the CSR for laptop is under KEY_DIR, you will do:

Code:

./sign-req laptop

You will have the laptop.crt generated under the KEY_DIR defined in vars.

Last edited by cchee on Sat Nov 06, 2004 7:14 pm; edited 1 time in total

This cronjob script basically retrieves the CA root CRL from the CA server (MS Windows Server) in my network using wget. Then I use openssl crl to convert the CRL from DER format to PEM format. The wget -q option mutes any standard output from wget.

Lastly, I create a symbolic link:

Code:

ln -s /etc/openvpn/gateway/crl-update.cron .

where . is /etc/cron.hourly, to have this cronjob run every hour.

Last edited by cchee on Sat Oct 16, 2004 2:04 am; edited 1 time in total
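The cron script referred to above is not reproduced in the thread, so the following is an added example of the same job, written for this thread and not the HOWTO author's script: wget -q fetches the DER CRL, openssl crl converts it to PEM, and the new file is only swapped into place (by a rename inside the destination directory) after it parses as a CRL, so a failed download or a corrupt file never replaces the CRL that OpenVPN's crl-verify directive is reading. The URL and destination path are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example (not the HOWTO author's cron script): refresh the CA's CRL safely.
# Download -> convert DER to PEM -> verify it parses -> atomic rename into place.
# Any failure leaves the currently installed CRL untouched. Requires wget and openssl.
# Assumed placeholder values (override via environment):
CRL_URL=${CRL_URL:-http://ca.example.invalid/CertEnroll/ca.crl}
CRL_DEST=${CRL_DEST:-/etc/openvpn/gateway/crl.pem}

# fetch_crl URL OUTFILE : quiet download; fails if nothing usable was written.
fetch_crl() {
    wget -q -O "$2" "$1" && [ -s "$2" ]
}

# der_to_pem INFILE OUTFILE : the conversion step described in the post.
der_to_pem() {
    openssl crl -inform DER -in "$1" -outform PEM -out "$2"
}

# install_crl PEMFILE DEST : refuse empty or unparsable input, then rename
# atomically (the staging file is created next to DEST, so mv is a rename).
install_crl() {
    [ -s "$1" ] || return 1
    openssl crl -in "$1" -noout >/dev/null 2>&1 || return 1     # must parse as a CRL
    staged=$(mktemp "$(dirname "$2")/crl.XXXXXX") || return 1
    cp "$1" "$staged" && chmod 644 "$staged" && mv -f "$staged" "$2"
}

# update_crl : the hourly job; returns 1 and leaves CRL_DEST unchanged on any failure.
update_crl() {
    tmpdir=$(mktemp -d) || return 1
    der="$tmpdir/crl.der"; pem="$tmpdir/crl.pem"
    if fetch_crl "$CRL_URL" "$der" && der_to_pem "$der" "$pem" && install_crl "$pem" "$CRL_DEST"; then
        rc=0
    else
        echo "crl-update: refresh failed, leaving $CRL_DEST unchanged" >&2
        rc=1
    fi
    rm -rf "$tmpdir"
    return $rc
}
```

Run update_crl from the hourly cron entry; because OpenVPN re-reads the CRL file on each connection, the renamed file takes effect without a restart, and a stale CRL is only ever replaced by one that verified as well-formed.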


Thanks to James Yonan for the hints on the environment variables set by OpenVPN before the up/down commands are invoked. To make the above script even more system-admin friendly, we replace the client.up.

This way, when you (as the system admin) need to change the domain or DNS IPs, you don't need to change all the Linux clients' client.up and client.down scripts manually; all you need to do is update the domain and DNS IPs in the server local.conf, and it will automagically prepend the correct domain and DNS IPs to the clients' /etc/resolv.conf file.
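As an added example (the author's client.up/client.down are not reproduced in the thread, and this is not their code), here is what such a script can look like once it reads the pushed values instead of hard-coding them. On a Linux client, OpenVPN exports pushed options it does not act on itself as foreign_option_1, foreign_option_2, ... in the script's environment, e.g. foreign_option_1='dhcp-option DNS 10.2.0.1', which is what the server's push "dhcp-option DNS ..." and push "dhcp-option DOMAIN ..." lines become. The script prepends the pushed search domain and nameservers to /etc/resolv.conf and keeps a backup for the down script. Because a server can push arbitrary strings, values that do not look like an IPv4 address or a hostname are ignored rather than written into the resolver config. The file paths and function names are assumptions.

```shell
#!/bin/sh
# Added example (not the HOWTO author's client.up): build resolv.conf entries from
# the dhcp-option values the OpenVPN server pushes. Before running the up script,
# OpenVPN exports unhandled pushed options as foreign_option_1, foreign_option_2, ...
# e.g.  foreign_option_1='dhcp-option DNS 10.2.0.1'
#       foreign_option_3='dhcp-option DOMAIN homenetwork.local'
# Assumed paths (override via environment); invoked as "up /abs/path/client.up".
RESOLV_CONF=${RESOLV_CONF:-/etc/resolv.conf}
RESOLV_BACKUP=${RESOLV_BACKUP:-/etc/resolv.conf.openvpn-backup}

# pushed_dns_lines : print "search DOMAIN..." then one "nameserver IP" per pushed
# DNS server, in push order. Values that are not a dotted-quad / hostname are
# dropped, since they came from the network and end up in a system config file.
pushed_dns_lines() {
    n=1
    domains=""; servers=""
    while :; do
        eval "opt=\${foreign_option_$n:-}"
        [ -n "$opt" ] || break               # OpenVPN numbers the options contiguously
        set -- $opt                          # split into: dhcp-option TYPE VALUE
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DOMAIN)
                    case "$3" in
                        *[!A-Za-z0-9.-]*|"") ;;             # not a plausible hostname
                        *) domains="$domains $3" ;;
                    esac ;;
                DNS)
                    case "$3" in
                        *[!0-9.]*|"") ;;                    # not a dotted-quad
                        *) servers="$servers $3" ;;
                    esac ;;
            esac
        fi
        n=$((n + 1))
    done
    [ -n "$domains" ] && echo "search${domains}"
    for s in $servers; do echo "nameserver $s"; done
}

# write_resolv_conf : prepend the pushed entries to the existing resolver config,
# saving the original once so client.down can put it back.
write_resolv_conf() {
    pushed=$(pushed_dns_lines)
    [ -n "$pushed" ] || return 0             # nothing usable pushed: leave the file alone
    [ -f "$RESOLV_BACKUP" ] || cp -p "$RESOLV_CONF" "$RESOLV_BACKUP"
    { echo "# generated by client.up from OpenVPN-pushed options"
      echo "$pushed"
      cat "$RESOLV_BACKUP"; } > "$RESOLV_CONF"
}

# restore_resolv_conf : the client.down counterpart.
restore_resolv_conf() {
    [ -f "$RESOLV_BACKUP" ] && mv -f "$RESOLV_BACKUP" "$RESOLV_CONF"
}
```

Call write_resolv_conf at the end of client.up and restore_resolv_conf from client.down; the original file is read back from the backup rather than from the file being rewritten, so the redirect cannot truncate it mid-copy.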

If my ISP assigns a dynamic IP, should that cause any real problems with a setup like this (essentially for encryption/authentication of wireless nodes in a client/server type setup)?

I basically have a Gentoo box (2.6) with eth1 grabbing an IP from my ISP via DHCP, and eth0 (192.168.0.0) being my private LAN, hooked to a wireless access point and a 5-port 100 Mbit switch (Linksys BEFW11S4).

I'm running iptables, have OpenVPN installed, and tun/tap compiled into the kernel. Should I be okay with a configuration like this?

Are you trying to
a) access an OpenVPN server with an external static IP from your home network? or
b) set up your home OpenVPN server so you can access it from outside (Internet)? or
c) set up OpenVPN between all your wireless nodes and your LAN server so you can "safely" surf the web via your wireless LAN?

Essentially I am trying to do (c): "setup OpenVPN between all your wireless nodes and your LAN server so you can "safely" surf the web via your wireless LAN".

You need to "push" (from the OpenVPN server) a change of the default gateway for all your OpenVPN client wireless nodes, so that it points to the OpenVPN server on your LAN instead of your wireless broadband router (Linksys BEFW11S4). I haven't tested this type of setup myself, since my setup is more of (a), but I can't think of any reason why you wouldn't be able to do it.

I'm not too familiar with the whole concept of getting my .csr signed. Who would I go to to get it signed for my server? I see you show how to sign a client's csr file, but would that work for the main server? Is there a way I can sign that csr myself?

Also, you mention specifying the purpose of the certificate. Is that specified somewhere when you make the csr file, or when you actually get it signed?


Check the README that comes with easy-rsa (which comes with the OpenVPN tarball). I used the Certificate Server that comes with MS Windows Server 2003. There, when you request to sign a certificate request, they have User and Web Server (plus other) purposes. If you are self-signing using Easy-RSA, you probably don't need to specify the purpose. Hope this helps.

Today, I have installed a VPN following your Mini-HOWTO. The VPN seems to work now. However, after connecting client C0 to the server, client C0 had the IP address 10.1.0.2 in the subnet 255.255.255.0, which seems to be correct. A ping from client C0 to the server or from the server to client C0 works, too. Everything seems to be fine so far.

After connecting client C1 to the server, client C1 got the IP address 10.1.0.3, which seems to be fine, too. I tried to ping the server 10.1.0.1 and got a response. The server was able to ping 10.1.0.3, too. Seems to be fine.

The Problem:
Client C0 does not get a ping reply from client C1, nor does C1 get any response from C0, although both clients are able to connect to and communicate with the server. The server does not report any errors in the log.

Any idea, why?

[edit]:
I have just added the client-to-client option to my server configuration file. Now C1 can ping C0, but C0 is still not able to ping C1 O_o

Well, I guess it's a firewall problem, now.
[/edit]
[edit²]
It was a firewall problem, and the client-to-client option really does make it work.
[/edit]


The wireless router is only being used as a wireless access point/wired switch. The DHCP server is sitting on my default gateway/iptables Gentoo box (which is connected directly to the cable modem).


Ok, I have my setup working fairly OK now, but I'm still having a little problem. My client can ping the virtual address of the server, and the server can ping the virtual address of the client, but I can't ping anything past that, including the actual IP or any computers on the remote network. I've got my setup exactly as the HOWTO describes, except that my protected network is 192.168.1.0 and my virtual network is 192.168.2.0. Any help on this would be appreciated.


Firstly, thank you VERY much for this howto. I have OpenVPN working well.

One question:

I have the server set up at Location 1 (L1). It accepts Windows client connections from the internet fine.

What I need to do now is set up Location 2 (L2) to connect to L1 and create a permanent VPN tunnel, so that clients at L1 can get to L2 and clients at L2 can get to L1. L2 currently has a Linux firewall set up. My plan is to set up this machine as a Linux client to the server at L1.

Basically, what I want to know:

Do I need to create a new conf file on the server using a different port for this connection, or can it use 5000? Keep in mind that I still want Windows clients from the net to get into L1.


Please advise, and thank you again.

The L2 VPN server will be one of the VPN clients of the L1 server on port 5000. The L1 VPN server will be one of the VPN clients of the L2 server on a port OTHER than 5000 (e.g. 6000). If you want L1 clients to be able to access L2, you may need to add

Code:

client-to-client

in your local.conf on the L1 VPN server. In addition, you need to make sure you have proper routes in the routing tables on both L1 and L2.


Ok, so let me see if I have this straight.

I have to add a second conf file to the directory on L1's server that makes a connection to L2's server (which I need to set up).

L2 needs to be installed in server mode as well, so it can accept a connection from L1 (at a different port than 5000). It will also be a client to the server at L1. So, basically we are creating 2 vpn connections for this (in essence)

If I put both the server configuration (local.conf, as specified above) and the new client.conf (local.conf for clients, as seen above) will the openvpn server at startup automatically read both conf files and create the appropriate connections?


The openvpn startup script in Gentoo scans each sub-directory under /etc/openvpn and loads the local.conf accordingly. So in your setup, you will have /etc/openvpn/L1 and /etc/openvpn/L2 sub-directories.


Unfortunately, I am using RedHat on these boxes (not my choice). Can you possibly point me to the startup script so I can see if I can port it?

Ugh. This could be difficult. Would it be possible to have both these functions in one local.conf file? What about if there are 2 conf files in the same directory, but with different names? There is no way I can change it to gentoo, as these boxes are the internet gateways for 2 locations that work 12 hour shifts, and I'm not going to get a chance to take them offline that long.


You also need to consider the certificate and key files for the different VPN links, so separate directories help prevent confusion. You can use the above "script" and put it as /etc/init.d/openvpn. You may need to replace some Gentoo-specific functions with something similar in RedHat.
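Added example of the per-directory start-up logic discussed in this exchange, written for this thread in plain sh; it is neither the Gentoo init script nor anything from RedHat. It starts one openvpn process per /etc/openvpn/<name>/local.conf with the working directory set to that instance's directory, so each link's relative ca/cert/key paths resolve to its own files and nothing is shared between links by accident. OPENVPN and OPENVPN_DIR can be overridden; the pid-file name and the function names are assumptions. Wrap start_all/stop_all in your distribution's init-script conventions.

```shell
#!/bin/sh
# Added example (not the Gentoo init script): one OpenVPN daemon per
# /etc/openvpn/<name>/local.conf, each confined to its own directory.
OPENVPN=${OPENVPN:-/usr/sbin/openvpn}
OPENVPN_DIR=${OPENVPN_DIR:-/etc/openvpn}

# list_instances : print the name of every sub-directory that holds a local.conf.
list_instances() {
    for conf in "$OPENVPN_DIR"/*/local.conf; do
        [ -f "$conf" ] && basename "$(dirname "$conf")"
    done
}

# start_instance NAME : run openvpn with --cd set to the instance directory so the
# relative file references in local.conf resolve there; --daemon names the syslog
# entries after the instance and --writepid records the pid for stop_instance.
start_instance() {
    dir="$OPENVPN_DIR/$1"
    [ -f "$dir/local.conf" ] || return 1
    "$OPENVPN" --daemon "openvpn($1)" --cd "$dir" --config local.conf \
        --writepid "$dir/openvpn.pid"
}

# stop_instance NAME : signal the daemon recorded in the instance's pid file.
stop_instance() {
    pidfile="$OPENVPN_DIR/$1/openvpn.pid"
    [ -f "$pidfile" ] || return 1
    kill "$(cat "$pidfile")" && rm -f "$pidfile"
}

start_all() {
    for i in $(list_instances); do
        start_instance "$i" || echo "openvpn: failed to start instance $i" >&2
    done
}

stop_all() {
    for i in $(list_instances); do
        stop_instance "$i" || echo "openvpn: no pid file for instance $i" >&2
    done
}
```

With the thread's layout this yields two independent daemons, /etc/openvpn/L1 (the server) and /etc/openvpn/L2 (the client link), each with its own certificate set.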